Information Security: Computer Attacks at Department of Defense Pose Increasing Risks

AIMD-96-84 Published: May 22, 1996. Publicly Released: May 22, 1996.

Highlights

Pursuant to a congressional request, GAO reviewed the extent to which Department of Defense (DOD) computer systems are attacked, focusing on the: (1) potential for further damage to DOD computer systems; and (2) challenges DOD faces in securing sensitive information on its computer systems.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense: To better focus management attention on DOD's increasing computer security threat and to ensure that a higher priority and sufficient resources are devoted to addressing this problem, the Secretary of Defense should strengthen the DOD computer security program by developing departmentwide policies for preventing, detecting, and responding to attacks on DOD information systems, including mandating that: (1) all security incidents be reported within DOD; (2) risk assessments be performed routinely to determine vulnerability to attacks and intrusions; (3) vulnerabilities and deficiencies be expeditiously corrected as they are identified; and (4) damage from intrusions be expeditiously assessed to ensure the integrity of data and systems compromised.
Closed – Implemented
DOD concurred fully with the recommendation, noting that implementation of information systems security was not uniformly and comprehensively addressed departmentwide. DOD cited some actions that were already under way during GAO's review, including the military services' establishment of incident response organizations and use of intrusion detection software. Since GAO's review, DOD has established the Defense-wide Information Assurance Program (DIAP) and the Joint Task Force Computer Network Defense (JTF-CND) in recognition of the findings in the report and the need for strengthening computer security across the department. In addition, DOD has issued Chairman of the Joint Chiefs of Staff Instruction (JCS) 6510.01B, Defensive Information Operations Implementation, dated 22 August 1997, which requires security incident reporting, risk assessments, correction of vulnerabilities, and damage assessments.
Department of Defense: To better focus management attention on DOD's increasing computer security threat and to ensure that a higher priority and sufficient resources are devoted to addressing this problem, the Secretary of Defense should strengthen the DOD computer security program by requiring the military services and DOD agencies to use training and other mechanisms to increase awareness and accountability among installation commanders and all personnel as to the security risks of computer systems connected to the Internet and their responsibility for securing their systems.
Closed – Implemented
DOD agreed fully with the recommendation and cited some efforts under way at the time of GAO's review, including budgeting funds in fiscal years 1997 through 2001 for information security education and awareness. The Assistant Secretary of Defense for Command, Control, Communications and Intelligence agreed to direct a thorough departmentwide assessment of its overall efforts to make users more aware of, and better trained in, matters involving information security risks in general, risks of being connected to the Internet, and individual responsibility and accountability for securing systems. Since then, JCS Instruction 6510.01B has been approved, which requires the use of training and greater awareness for all Defense personnel. In addition, the DIAP and JTF-CND indicate that better training and increased awareness are key to improving departmentwide computer security and will be accomplished.
Department of Defense: To better focus management attention on DOD's increasing computer security threat and to ensure that a higher priority and sufficient resources are devoted to addressing this problem, the Secretary of Defense should strengthen the DOD computer security program by requiring information system security officers at all installations and setting specific standards for ensuring that these as well as system and network managers are given sufficient time and training to perform their duties appropriately.
Closed – Not Implemented
DOD concurred fully with the recommendation. It agreed to direct that all military installations review and ensure that they have personnel assigned to information systems security officer, network manager, and system administrator responsibilities. DOD also agreed to expeditiously determine the extent of shortfalls and determine the efforts and resources required to improve the training and availability of these responsible personnel. This departmentwide assessment showed that many DOD information security staff are leaving for more lucrative jobs in the private sector. Also, no career track for information security staff exists, which has hampered efforts to recruit and retain quality personnel.
Department of Defense: To better focus management attention on DOD's increasing computer security threat and to ensure that a higher priority and sufficient resources are devoted to addressing this problem, the Secretary of Defense should strengthen the DOD computer security program by continually developing and cost-effectively using departmentwide network monitoring and protection technologies.
Closed – Implemented
DOD concurred fully with the recommendation. The military services initiated programs to employ more intrusion detection software in their systems. DOD implemented its Joint Intrusion Detection System, which consolidated several ongoing technical initiatives designed to prevent and eradicate viruses, as well as detect and provide real-time responses to intrusions. Further, JCS Instruction 6510.01B requires the use of departmentwide network monitoring, automated alerting mechanisms, post-attack analysis, and other technologies to strengthen DOD's computer security.
Department of Defense: To better focus management attention on DOD's increasing computer security threat and to ensure that a higher priority and sufficient resources are devoted to addressing this problem, the Secretary of Defense should strengthen the DOD's computer security program by evaluating the incident response capabilities within DISA, the military services, and DOD agencies to ensure that they are sufficient to handle the projected threat.
Closed – Not Implemented
DOD concurred fully with the recommendation and initially acknowledged the limited capability of its incident response efforts. Since the report, DOD has established the Joint Task Force - Computer Network Defense, which intends to ensure that departmentwide incident response capability is sufficient. On May 3, 1999, and in response to this recommendation, DOD completed an evaluation of its defensive information operations, organizations, and activities--including incident response capabilities. The evaluation helped DOD identify opportunities for improving computer network defensive operations but did not ensure that incident response capabilities were sufficient to handle projected threats. In March 2001, GAO reported that DOD faced a number of challenges to improving incident response capabilities (GAO-01-341) and recommended several ways for DOD to better protect systems and networks from cyber threats and attacks. DOD concurred with information presented in the report and agreed to implement the recommendations as soon as practicable. According to a senior DOD official, this action will ensure that DOD has been fully responsive to GAO's 1996 audit recommendation.
Department of Defense: The Secretary of Defense should assign clear responsibility and accountability within the Office of the Secretary of Defense, the military services, and DOD agencies for ensuring successful implementation of this computer security program.
Closed – Implemented
DOD concurred fully and has updated its information security policy and directives to make selected information security practices mandatory and improve accountability among all department users. Most importantly, JCS Instruction 6510.01B assigns and fully discloses the computer security responsibilities of all DOD, as well as NSA, officials. Specific responsibilities are delineated for the Director for Intelligence, DIA; J-3; J-6; Commander in Chief, U.S. Space Command; Director, NSA; CINCs; military services; and defense agencies.

Topics

Communication security, Computer crimes, Computer networks, Computer protection software, Computer security, Computer security policies, Computer viruses, Confidential communications, Firewalls, Hackers, Information infrastructure, Information security, Internet, Military communication, Network administrators, Terrorism, Terrorists, Trojan horses, Sniffers